Closed
Description
Sanctum Version
4.2.2
Laravel Version
12.45.1
PHP Version
8.5.0
Database Driver & Version
Postgres
Description
With a user logged in via Socialite (so password is null in the users table) - frontend web access is fine - but calling API endpoints from the browser results in 500s:
```
{
    "message": "Laravel\\Sanctum\\Http\\Middleware\\AuthenticateSession::validatePasswordHash(): Argument #2 ($passwordHash) must be of type string, null given, called in /var/www/vendor/laravel/sanctum/src/Http/Middleware/AuthenticateSession.php on line 53",
    "exception": "TypeError",
    "file": "/var/www/vendor/laravel/sanctum/src/Http/Middleware/AuthenticateSession.php",
    "line": 117,
    "trace": [
        {
            "file": "/var/www/vendor/laravel/sanctum/src/Http/Middleware/AuthenticateSession.php",
            "line": 53,
            "function": "validatePasswordHash",
            "class": "Laravel\\Sanctum\\Http\\Middleware\\AuthenticateSession",
            "type": "->"
        },
        {
            "function": "{closure:Laravel\\Sanctum\\Http\\Middleware\\AuthenticateSession::handle():53}",
            "class": "Laravel\\Sanctum\\Http\\Middleware\\AuthenticateSession",
            "type": "->"
        },
        <snip>
```
The getAuthPassword func states it returns a string - but it returns null when using Socialite users where the password is not stored in Laravel at all.
Steps To Reproduce
- Log in as a Socialite user (a user with password set to null in the db)
- Make a frontend request to an API endpoint in your app (where EnsureFrontendRequestsAreStateful is part of the api middleware)
- In testing, the first call sometimes worked, but the second onwards wouldn't
- Prior to Laravel 12.45 and Sanctum 4.2.2 this would work. After, it doesn't.